Input: gtco - bounds check collection indent level

mainline inclusion from mainline-v5.2 commit 2a017fd8 category: bugfix bugzilla: 13690 CVE: CVE-2019-13631 ------------------------------------------------- The GTCO tablet input driver configures itself from an HID report sent via USB during the initial enumeration process. Some debugging messages are generated during the parsing. A debugging message indentation counter is not bounds checked, leading to the ability for a specially crafted HID report to cause '-' and null bytes be written past the end of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG enabled, this code will not be optimized out. This was discovered during code review after a previous syzkaller bug was found in this driver. Signed-off-by: N Grant Hernandez <granthernandez@google.com> Cc: stable@vger.kernel.org Signed-off-by: N Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: N Yao Hongbo <yaohongbo@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

Input: gtco - bounds check collection indent level
mainline inclusion from mainline-v5.2 commit 2a017fd8 category: bugfix bugzilla: 13690 CVE: CVE-2019-13631 ------------------------------------------------- The GTCO tablet input driver configures itself from an HID report sent via USB during the initial enumeration process. Some debugging messages are generated during the parsing. A debugging message indentation counter is not bounds checked, leading to the ability for a specially crafted HID report to cause '-' and null bytes be written past the end of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG enabled, this code will not be optimized out. This was discovered during code review after a previous syzkaller bug was found in this driver. Signed-off-by: N Grant Hernandez <granthernandez@google.com> Cc: stable@vger.kernel.org Signed-off-by: N Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: N Yao Hongbo <yaohongbo@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
5b51050a · Grant Hernandez · Xie XiuQi · 5cbc7d01 · 5b51050a
隐藏空白更改
内联并排

Showing with 17 addition and 3 deletion

drivers/input/tablet/gtco.c drivers/input/tablet/gtco.c +17 -3

未找到文件。
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com
 /* Max size of a single report */
 #define REPORT_MAX_SIZE       10
+#define MAX_COLLECTION_LEVELS  10
 /* Bitmask whether pen is in range */
@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
 	char  maintype = 'x';
 	char  globtype[12];
 	int   indent = 0;
-	char  indentstr[10] = "";
+	char  indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 };
 	dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n");
@@ -350,6 +350,13 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
 			case TAG_MAIN_COL_START:
 				maintype = 'S';
+				if (indent == MAX_COLLECTION_LEVELS) {
+					dev_err(ddev, "Collection level %d would exceed limit of %d\n",
+						indent + 1,
+						MAX_COLLECTION_LEVELS);
+					break;
+				}
 				if (data == 0) {
 					dev_dbg(ddev, "======>>>>>> Physical\n");
 					strcpy(globtype, "Physical");
@@ -369,8 +376,15 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
 				break;
 			case TAG_MAIN_COL_END:
-				dev_dbg(ddev, "<<<<<<======\n");
 				maintype = 'E';
+				if (indent == 0) {
+					dev_err(ddev, "Collection level already at zero\n");
+					break;
+				}
+				dev_dbg(ddev, "<<<<<<======\n");
 				indent--;
 				for (x = 0; x < indent; x++)
 					indentstr[x] = '-';